Joint Statement on Contact Tracing: Date 19th April 2020 


The undersigned represent scientists and researchers from across the globe. The current 
COVID-19 crisis is unprecedented and we need innovative ways of coming out of the current 
lockdowns. However, we are concerned that some “solutions” to the crisis may, via mission 
creep, result in systems which would allow unprecedented surveillance of society at large. 

Contact tracing is a well-understood tool to tackle epidemics, and has traditionally been done 
manually. However, manual contact tracing is time-consuming and is limited to people who 
can be identified. 

In some situations, so-called “contact tracing Apps” on peoples’ smartphones may improve 
the effectiveness of the manual contact tracing technique. These Apps would allow the 
persons with whom an infected person had physical interaction to be notified, thus enabling 
them to go into quarantine. The Apps would work by using Bluetooth or geolocation data 
present in smartphones. Though the effectiveness of contact tracing Apps is controversial, 
we need to ensure that those implemented preserve the privacy of their users, thus 
safeguarding against many other issues, noting that such Apps can otherwise be repurposed 
to enable unwarranted discrimination and surveillance. 

Research has demonstrated that solutions based on sharing geolocation (i.e., GPS) to 
discover contacts lack sufficient accuracy and also carry privacy risks because the GPS data 
is sent to a centralized location. For this reason, Bluetooth-based solutions for automated 
contact tracing are strongly preferred when available. 

Some of the Bluetooth-based proposals respect the individual's right to privacy, whilst others 
would enable (via mission creep) a form of government or private sector surveillance that 
would catastrophically hamper trust in and acceptance of such an application by society at 
large. It is crucial that citizens trust the applications in order to produce sufficient uptake to 
make a difference in tackling the crisis. It is vital that, in coming out of the current crisis, we 
do not create a tool that enables large scale data collection on the population, either now or 
at a later time. Thus, solutions which allow reconstructing invasive information about the 
population should be rejected without further discussion. Such information can include the 
“social graph” of who someone has physically met over a period of time. 

With access to the social graph, a bad actor (state, private sector, or hacker) could spy on 
citizens’ real-world activities. Some countries are seeking to build systems which could 
enable them to access and process this social graph. On the other hand, highly 
decentralized systems have no distinct entity that can learn anything about the social graph. 
In such systems, matching between users who have the disease and those who do not is 
performed on the non-infected users’ phones as anonymously as possible, whilst information 
about non-infected users is not revealed at all. 

To aid the development of contact tracing without a centrally controlled database that holds 
private information on individuals, Google and Apple are developing infrastructure to enable 
the required Bluetooth operations in a privacy protective manner. Teams building the privacy 



protective schemes fully support this effort as it simplifies—and thus speeds up—the ability 
to develop such Apps. We applaud this initiative and caution against collecting private 
information on users. Some who seek to build centralized systems are pressuring Google 
and Apple to open up their systems to enable them to capture more data. 

It is worth noting that the European Parliament on April 17th gave their support to the 
decentralized approach, pointing out by overwhelming majority "that [...] the generated data 
are not to be stored in centralised databases, which are prone to potential risk of abuse and 
loss of trust and may endanger uptake throughout the Union” and demanding "that all 
storage of data be decentralised”. 

There are a number of proposals for contact tracing methods which respect users' privacy, 
many of which are being actively investigated for deployment by different countries. We urge 
all countries to rely only on systems that are subject to public scrutiny and that are privacy 
preserving by design (instead of there being an expectation that they will be managed by a 
trustworthy party), as a means to ensure that the citizen's data protection rights are upheld 

The following principles should be at least adopted going forward: 

• Contact tracing Apps must only be used to support public health measures for the 
containment of COVID-19. The system must not be capable of collecting, processing, 
or transmitting any more data than what is necessary to achieve this purpose. 

• Any considered solution must be fully transparent. The protocols and their 
implementations, including any sub-components provided by companies, must be 
available for public analysis. The processed data and if, how, where, and for how 
long they are stored must be documented unambiguously. Such data collected 
should be minimal for the given purpose. 

• When multiple possible options to implement a certain component or functionality of 
the app exist, then the most privacy-preserving option must be chosen. Deviations 
from this principle are only permissible if this is necessary to achieve the purpose of 
the app more effectively, and must be clearly justified with sunset provisions. 

• The use of contact tracing Apps and the systems that support them must be 
voluntary, used with the explicit consent of the user and the systems must be 
designed to be able to be switched off, and all data deleted, when the current crisis is 
over. 
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Appendix: 

Privacy-preserving decentralized methods of the type referred to in this document include: 

DP-3T: https://aithub.com/DP-3T 
TCN Coalition: https://tcn-coalition.org/ 

PACT (MIT): https://pact.mit.edu/ 

PACT (UW): https://covidsafe.cs.washington.edu/ 

All these teams are committed to working together to make their systems interoperate. They 
aim to provide different decentralized privacy preserving methods which can be adapted by 
countries depending on their local situation. By working together they can ensure that using 
contact tracing in the effort to defeat COVID-19 can be done in a way that protects privacy. 
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